ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "L (JIRA)" <j...@apache.org>
Subject [jira] [Created] (WSS-651) Incorrect signature if document has WSU_NS declared on SOAP Header or Envelope
Date Sun, 26 May 2019 19:01:00 GMT
L created WSS-651:
---------------------

             Summary: Incorrect signature if document has WSU_NS declared on SOAP Header or
Envelope
                 Key: WSS-651
                 URL: https://issues.apache.org/jira/browse/WSS-651
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Core
    Affects Versions: 2.2.3
            Reporter: L
            Assignee: Colm O hEigeartaigh


I have run into a problem with documents signed by WSS4J 2.2.3: the "other side" is rejecting
some of documents signed by WSS4J 2.2.3.

After some investigation I could manage to reproduce it and make WSS4J reject its own signed
documents.

The problem can be reproduced quite easily with modified org.apache.wss4j.dom.message.SignatureTest:

I have copy pasted method testSignedTimestamp() and modified it slightly. This is full source
code of the new method:

 
{code:java}
    @Test
    public void testSignedTimestamp1() throws Exception {
        Document doc = SOAPUtil.toSOAPPart(SAMPLE_SOAP_MSG_WSU_NS);
        WSSecHeader secHeader = new WSSecHeader(doc);
        secHeader.insertSecurityHeader();

        WSSecTimestamp timestamp = new WSSecTimestamp(secHeader);
        timestamp.setTimeToLive(300);
        timestamp.build();

        WSSecSignature builder = new WSSecSignature(secHeader);
        builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");

        // Makes no difference, tested with it and without it.
        // Added to test because my code sets it to false
        // builder.setAddInclusivePrefixes(false);

        WSEncryptionPart encP =
            new WSEncryptionPart(
                "Timestamp",
                WSConstants.WSU_NS,
                "");
        builder.getParts().add(encP);

        builder.prepare(crypto);

        List<javax.xml.crypto.dsig.Reference> referenceList =
            builder.addReferencesToSign(builder.getParts());

        builder.computeSignature(referenceList, false, null);

        String  outputString = XMLUtils.prettyDocumentToString(doc);

        if (LOG.isDebugEnabled()) {
            LOG.debug("After Signing....");
            LOG.debug(outputString);
        }

        // !!!!
        // Makes all the difference: validating just signed document works,
        // validating serialized and parsed document does not
        Document  doc2 = SOAPUtil.toSOAPPart(outputString);
        // Document  doc2 = doc;

        verify(doc2);
    }

    public static final String SAMPLE_SOAP_MSG_WSU_NS =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
        + "<SOAP-ENV:Envelope "
        +   "xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" "
        +   "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
        +   "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" "
        // !!!!
        // Makes all the difference: uncomment it and validating the serialized
        // and parsed document fails
        // +   "xmlns:u=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"
"
        +   ">"
        +   "<SOAP-ENV:Body>"
        +       "<add xmlns=\"http://ws.apache.org/counter/counter_port_type\">"
        +           "<value xmlns=\"\">15</value>"
        +       "</add>"
        +   "</SOAP-ENV:Body>"
        + "</SOAP-ENV:Envelope>";{code}
 

 

Important parts marked with '!!!!' comments:
 # You need to verify the document after it was serialized and parsed back. Then the verification
fails. Verifying the signed document "in memory" succeeds.
 # The original, to be signed, document must have WSU_NS namespace with some prefix other
than 'wsu' declared on any ancestor of the to be inserted wsse:Security

 

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Mime
View raw message